Privacy Violations In Retail

Angel Maldonado
Empathy.co
Dec 23, 2021

Applicable to EU & UK

Who thinks that privacy is not important? We all care. However, as retailers, we are entangled in consent and cookie propositions that cause confusion for everyone, from customers to leaders and technical teams in between.

Treating privacy as an afterthought requires retailers to wire complex consent structures into internal data processes. These seem to be difficult to maintain.

Empathy’s recommendation is to approach privacy as a human right, and therefore to design your products in ways that respect a customer’s online privacy with offline standards, taking a clear standpoint that sees privacy as a priority.

Dealing with the customer data problem “a priori” as opposed to “a posteriori” is essentially what privacy by design entails. Nevertheless, the majority of digital products out there continue to try to fit a square on a triangle. Refusing to change how digital products track or spy on the consumer makes it necessary to wire complex consent methods that result in a stream of privacy violations.

As a result, retailers are placing a tremendous burden on technical teams who have to deal with complex solutions that are creating the following typical privacy violations:

Violation 1: Undeclared Cookies

Your Cookie Policy must maintain a list of all cookies that your store is using. You can find thousands of online shops that fail to meet this requirement. Cookie Policy pages are not synchronised with new cookie integrations, and this prevents customers from being informed about how and why they are being surveilled.

Additionally, if your cookies or your vendor’s are listed in a browser’s reference of ‘nasty cookies’, you should consider whether they are worth keeping (regardless of whether you are advised or tempted to replace the conflicting domain). A growing number of browsers will be unable to open the page without showing a notification.

See ICO.ORG and GDPR.EU
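
An added example (not from the original article): a check that compares the cookies a store actually sets with the list on its Cookie Policy page, so the two can be kept in sync. The cookie names, categories and captured `Set-Cookie` headers are constructed sample data; cookies written by scripts via `document.cookie` would have to be collected from a browser session instead.

```python
from fnmatch import fnmatchcase

# Cookie Policy inventory: name or name pattern -> declared category (constructed).
DECLARED = {
    "session_id": "essential",
    "cart": "essential",
    "_stats_*": "statistics",    # the policy lists a name pattern
    "promo_seen": "functional",  # still listed, no longer set by the shop
}

# Set-Cookie response headers captured while browsing the shop (constructed).
OBSERVED_HEADERS = [
    "session_id=ab12; Path=/; Secure; HttpOnly; SameSite=Lax",
    "cart=3f9; Path=/; Max-Age=86400",
    "_stats_771=204; Domain=.shop.example; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "_adv_uid=9c0e; Domain=.shop.example; Max-Age=31536000",
    "ab_variant=B; Path=/",
]


def cookie_name(set_cookie_line):
    """Name is the text before the first '=' in the first ';'-separated pair."""
    name, sep, _value = set_cookie_line.split(";", 1)[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"not a name=value pair: {set_cookie_line!r}")
    return name.strip()


def audit(declared, set_cookie_lines):
    """Compare observed cookie names with the declared inventory."""
    observed = sorted({cookie_name(line) for line in set_cookie_lines})
    classified, used_entries = {}, set()
    for name in observed:
        for pattern, category in declared.items():
            if fnmatchcase(name, pattern):
                classified[name] = category
                used_entries.add(pattern)
                break
    return {
        "undeclared": [n for n in observed if n not in classified],  # Violation 1
        "stale": sorted(set(declared) - used_entries),  # policy page out of date
        "classified": classified,  # input for reviewing the categories
    }


if __name__ == "__main__":
    for bucket, result in audit(DECLARED, OBSERVED_HEADERS).items():
        print(f"{bucket}: {result}")
```

Run against real captures on every release that adds an integration; a non-empty `undeclared` list means the Cookie Policy page needs updating before the change ships.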

Violation 2: Inaccurate Classification of Cookies

The second most common violation in our experience is the inaccurate classification of cookies: labelling non-essential cookies as essential, or declaring functional cookies as essential. To find an unequivocal classification, it’s advised to check how your vendor or service provider classifies these types of cookies themselves. Note that statistics, advertisements and the like are not considered ‘strictly necessary’. Another way to approach the debate of essential versus functional is to ask the following question: Can I offer the customer the possibility to buy from my shop as a guest customer? If so: What is ‘essential’ to respect my customer’s desire? If you, as an individual, or anyone in your household expects to have this freedom (private checkout), why not offer that to your customers?

Violation 3: Setting Third-Party Cookies as First-Party Cookies

Third-party cookies are placed by third parties and track the shopper across your store and others. However, if you use a SaaS service that places cookies from an external domain, this service must serve your customers within your domain only. Some vendors replace their (third-party) domains with your domain to deceive browsers into not perceiving the cookie as third-party. If your customers exercise their data rights (delete, inform, port) and you find that your store has to resolve this by invoking third parties, you should ensure that those associated cookies remain at the service of your domain only. This violation is important in determining whether your vendor is truly a mere processor of PII from your customers or a Co-Controller.

Violation 4: Pseudonymisation (de-identification) Labelled as Anonymisation

If your cookies and linked server-side data pipes are creating PII mappings that can be translated back to their original form, then these mappings are not anonymised but pseudonymised. Note that pseudonymised data is a form of Personal Data (Recital 26 GDPR) and as such is subject to customer data rights.

Conclusion

Are executives and board members aware of how they are managing customer privacy? Judging by how inconsistently cookie policies and consent flows are implemented, there seems to be a lack of awareness.

At Empathy.co, we hope that speaking openly about these common privacy violations may help leaders dispel these misconceptions.
